I. Overview
1. Version
Report server version | JAR Package | Plugin version |
---|---|---|
10.0.19 | 2021-10-14 | V1.0 |
2. Application scenarios
Without the plugin, synchronizing users from an LDAP server means first exporting the directory data into intermediate tables, which is both insecure (a second copy of account data lives outside LDAP) and cumbersome.
Users want to synchronize the users in the LDAP server directly to the decision-making platform, with the related settings reusing the existing LDAP authentication configuration.
3. Function introduction
After installing the "Synchronize LDAP Domain Users" plugin, "Synchronize from LDAP server" can be selected directly as the user source in the Synchronized User settings.
II. Plugin introduction
1. Plugin installation
Click to download the plugin:
Synchronize LDAP Domain User.zip
Designer plugin installation method reference: Designer plugin management
Server installation plugin method refer to: Server plugin management
2. Introduction to plugins
After the plugin is installed, the user source Plugin-LdapSync_Source_Text becomes available when synchronizing users. As shown below:
III. Example
1. Configuring LDAP Authentication
The administrator logs in to the decision-making platform, clicks Manage > User > Global Setting, selects LDAP Authentication as the authentication method for synchronized users, and fills in the configuration. As shown below:
For the configuration method of LDAP authentication, please refer to: LDAP Authentication.
After filling in the parameters, click Test Connection. Once the connection succeeds, click Save; the authentication method is now configured.
2. Enter the sync user edit page
1) If the administrator is using Synchronize Users for the first time
The administrator logs in to the decision-making platform, clicks Manage > User > All Users, and clicks Synchronize Users.
A prompt box appears: "Keep the existing data unsynchronized or not, including imported/added users/Dept.-posit./role.", as shown in the following figure:
The update logic corresponding to different options is as follows:
Option | Definition |
---|---|
Reserve | If an existing user is not in the sync dataset, that user's information and permissions are preserved unchanged. If an existing user is in the sync user source (same username): |
Clear | The username, name, password, mobile phone, email, department, position, role, and permissions of existing "manually added/imported users" on the platform are deleted, and the users are re-synchronized. |
Note: Depending on the selected update logic, some user information is updated during the first synchronization.
After that, only users whose type has changed to "synchronized" are updated automatically.
After synchronization, the sync dataset can no longer overwrite built-in data; attempting to do so reports a conflict error.
2) If the data decision system is configured with synchronized users
The administrator clicks Synchronized User Management directly and selects the Edit button to enter the sync user configuration page.
3. Configure synchronization users
Select "Plugin-LdapSync_Source_Text" as the user source. The system automatically reads the LDAP Authentication configuration from Section III.1 and tests the connection. The synchronization user configuration is shown in the following figure:
Note 1: If "Synchronized User" was configured before with "Server Dataset" as the user source, a prompt appears when switching: "After switching the user source, the original synchronization data will be cleared, including users and their departments, positions, roles, and permissions, etc. Confirm the switch?". Click "OK" to complete the LDAP user synchronization.
Note 2: If the LDAP authentication connection from Section III.1 fails, a red prompt appears in this step: "Prompt: LDAP connection failed, please confirm the relevant configuration in the synchronized user-LDAP authentication".
1) Synchronization frequency
Two ways of scheduling the synchronization are supported: Fixed Interval and Expression Setting.
Fixed Interval (simple repetitive execution)
The interval at which users are automatically synchronized from the LDAP server; the default is 43200 seconds (12 hours).
Once a synchronization frequency is set, synchronization runs automatically each time the interval elapses, so changes in the LDAP server are continuously propagated to the platform.
Note: Do not set the frequency too high; every run writes to the background log, and the log volume grows without bound.
Expression Setting
The execution time points are set with a Cron expression. Trigger times can be combined in many ways: repeat every day, repeat every other day, run once, and so on.
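The following added example (not FineReport's scheduler code) shows how to sanity-check a schedule in either mode before saving it, so that the log-growth problem described above is caught up front. It assumes a Quartz-style six-field cron (second minute hour day-of-month month day-of-week, with day-of-week 0-6 and 0 = Sunday, an example convention) and a minimum gap of 600 seconds between runs, which is this example's own policy floor rather than a product limit; the matcher supports `*`, `?`, lists, ranges and `/step`.

```python
"""Check how often a sync schedule would fire before saving it.

Added example (not part of the FineReport plugin). Assumptions: the
"Expression Setting" is a Quartz-style 6-field cron
(second minute hour day-of-month month day-of-week, dow 0-6 with 0=Sunday);
MIN_GAP_SECONDS is an arbitrary policy floor, not a product limit.
"""
from datetime import datetime, timedelta

FIELDS = [("second", 0, 59), ("minute", 0, 59), ("hour", 0, 23),
          ("dom", 1, 31), ("month", 1, 12), ("dow", 0, 6)]
MIN_GAP_SECONDS = 600  # policy floor chosen for this example


def _expand(spec, low, high):
    """Expand one cron field ('*', '?', 'a', 'a-b', 'a,b', '*/n', 'a/n') to a set."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part in ("*", "?"):
            start, end = low, high
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = int(part)
            end = high if step > 1 else start
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    parts = expr.split()
    if len(parts) != 6:
        raise ValueError("expected 6 fields: sec min hour dom month dow")
    return {name: _expand(p, lo, hi) for p, (name, lo, hi) in zip(parts, FIELDS)}


def next_fires(expr, start, count):
    """Return the next `count` fire times strictly after `start` (within a year)."""
    sched = parse_cron(expr)
    fires = []
    t = start.replace(second=0, microsecond=0)
    limit = start + timedelta(days=366)
    while len(fires) < count and t < limit:
        if (t.minute in sched["minute"] and t.hour in sched["hour"]
                and t.day in sched["dom"] and t.month in sched["month"]
                and t.isoweekday() % 7 in sched["dow"]):
            for s in sorted(sched["second"]):
                fire = t.replace(second=s)
                if fire > start:
                    fires.append(fire)
                    if len(fires) == count:
                        break
        t += timedelta(minutes=1)
    return fires


def min_gap_seconds(expr, start=datetime(2021, 10, 14)):
    """Smallest spacing between the next few fire times, or None if it fires
    at most once in the coming year (single execution)."""
    fires = next_fires(expr, start, 8)
    if len(fires) < 2:
        return None
    return min((b - a).total_seconds() for a, b in zip(fires, fires[1:]))


def schedule_is_acceptable(expr=None, interval_seconds=None):
    """Fixed interval or cron expression; reject anything tighter than the floor."""
    if expr is None and interval_seconds is None:
        raise ValueError("give a cron expression or a fixed interval")
    gap = interval_seconds if interval_seconds is not None else min_gap_seconds(expr)
    return gap is None or gap >= MIN_GAP_SECONDS


if __name__ == "__main__":
    print(schedule_is_acceptable(interval_seconds=43200))   # default interval
    print(schedule_is_acceptable("0 0 3 * * ?"))            # daily at 03:00
    print(schedule_is_acceptable("0 */5 * * * ?"))          # every 5 minutes
```

The default of 43200 seconds and a daily cron both pass; an every-five-minutes expression is rejected because its 300-second spacing is below the floor.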
2) Editable
The Editable checkbox is unchecked by default. When checked, user information can be edited while the user is in the synchronized state.
Editable fields are name, mobile phone, and email address. For existing users, these fields are then no longer updated by automatic or manual synchronization. The details per user identity are shown in the following table:
Note: Because LDAP authentication is enabled for synchronized users, all password-related operations are unavailable for synchronized users (the super administrator and built-in users excepted): setting the encryption method, forgot password, change password, reset password, and so on.
User Identity | Description |
---|---|
Super administrator | 1) On subsequent synchronizations, the name, mobile phone, and email fields of users already on the platform are no longer updated. 2) Can edit the name, mobile phone, and email address of all existing platform users, but not their roles. 3) Can edit their own name, password, mobile phone, and email address in "Account Settings". 4) Can use the "forgot password" function on the login page. |
Sub-admin | 1) Can modify the name, mobile phone, and email address of authorized synchronized users, but not their role or password. 2) Can modify the name, password, mobile phone, and email address of authorized built-in users, but not their role. 3) Can edit their own name, mobile phone, and email address in "Account Settings". |
General user | Synchronized users can edit their own name, mobile phone, and email address in "Account Settings". |
3) User
For the user attribute fields, select the ObjectClass first, then select the attribute values within that ObjectClass.
Note: When configuring "Sync User", no password needs to be configured; actual authentication is performed against the LDAP password.
Configuration item | Description | Whether Required |
---|---|---|
ObjectClass | Select the ObjectClass that stores user attributes | Required |
User duplicate verification field | Deduplicate users by username or by user ID. 1) If username is selected, only the "Username" field is synchronized, and the value of the User ID field in the platform table is generated randomly by the system. 2) If user ID is selected, the "User ID + Username" fields are synchronized, and the ID field value in the platform table is the user ID held in the LDAP server at the time of synchronization. | Required |
Username | Select the username in User Attributes. The username stored in the LDAP server cannot contain double-byte Japanese, Traditional Chinese, or Korean characters; otherwise "username or password error" is prompted when logging in to the platform. | Required |
User ID | Required only when "User ID" is selected in "User duplicate verification field". Select the UID (user ID) in User Attributes. | Required when deduplicating by user ID |
Name | Select the name in User Attributes | Required |
Mobile phone | Select the mobile phone number in User Attributes | Not required |
Email | Select the email address in User Attributes | Not required |
4) Department
For the department fields, select the ObjectClass first, then select the attribute values within that ObjectClass.
The department need not be configured at all, but once an ObjectClass is selected, the department name (and the department ID, when deduplicating by ID) must be configured.
Configuration item | Description | Whether Required |
---|---|---|
ObjectClass | Select the ObjectClass that stores departments | Not required (either none or all of the department fields) |
Department duplicate verification field | Deduplicate departments by department name or by department ID. 1) If name is selected, only the "Name" field is synchronized, and the value of the ID field in the platform table is generated randomly by the system. 2) If ID is selected, the "ID + Name" fields are synchronized, and the ID field value in the platform table is the ID held in the LDAP server at the time of synchronization. | Required if ObjectClass is selected |
Department name | Select the department name in Department Attributes | Required if ObjectClass is selected |
Department ID | Required only when "Department ID" is selected in "Department duplicate verification field". Select the UID (department ID) in Department Attributes. | Required when deduplicating by department ID |
5) Role
For the role fields, select the ObjectClass first, then select the attribute values within that ObjectClass.
The role need not be configured at all, but once an ObjectClass is selected, the role name (and the role ID, when deduplicating by ID) must be configured.
Configuration item | Description | Whether Required |
---|---|---|
ObjectClass | Select the ObjectClass that stores roles | Not required (either none or all of the role fields) |
Role duplicate verification field | Deduplicate roles by role name or by role ID. 1) If name is selected, only the "Name" field is synchronized, and the value of the ID field in the platform table is generated randomly by the system. 2) If ID is selected, the "ID + Name" fields are synchronized, and the ID field value in the platform table is the ID held in the LDAP server at the time of synchronization. | Required if ObjectClass is selected |
Role name | Select the role name in Role Attributes | Required if ObjectClass is selected |
Role ID | Required only when "Role ID" is selected in "Role duplicate verification field". Select the UID (role ID) in Role Attributes. | Required when deduplicating by role ID |
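The mapping and duplicate-check rules of sections 3) User, 4) Department and 5) Role, together with the Editable behaviour of section 2), are easier to reason about in code. The block below is an added example and not the plugin's own implementation: the LDAP entries are constructed test data, and the attribute names (uid, uidNumber, cn, mobile, mail, ou, ou_id) are this example's assumed mapping, not product defaults. It also applies the double-byte username rule from the Username row as a pre-sync check, since such a user could never log in anyway.

```python
"""Offline simulation of the plugin's user and department mapping step.

Added example; this is not the FineReport plugin's code. The LDAP entries
are constructed test data, and the attribute names (uid, uidNumber, cn,
mobile, mail, ou, ou_id) are this example's assumed mapping, not defaults.
"""
import secrets
import unicodedata

# Constructed search results, flattened to one dict per entry.
LDAP_ENTRIES = [
    {"objectClass": ["inetOrgPerson"], "uid": "alice", "uidNumber": "1001",
     "cn": "Alice Liu", "mobile": "13800000001", "mail": "alice@example.com"},
    {"objectClass": ["inetOrgPerson"], "uid": "bob", "uidNumber": "1002",
     "cn": "Bob Chen", "mail": "bob@example.com"},
    {"objectClass": ["inetOrgPerson"], "uid": "田中", "uidNumber": "1003",
     "cn": "Tanaka"},
    {"objectClass": ["organizationalUnit"], "ou": "Finance", "ou_id": "d01"},
    {"objectClass": ["organizationalUnit"], "ou": "Sales", "ou_id": "d02"},
]

# Platform field -> LDAP attribute, as in the User / Department tables.
USER_MAP = {"objectClass": "inetOrgPerson", "username": "uid",
            "user_id": "uidNumber", "name": "cn", "mobile": "mobile",
            "email": "mail"}
DEPT_MAP = {"objectClass": "organizationalUnit", "name": "ou", "id": "ou_id"}


def has_wide_chars(s):
    """True if s contains wide/full-width characters (CJK, Hangul, kana)."""
    return any(unicodedata.east_asian_width(c) in ("W", "F") for c in s)


def _attr(entry, mapping, field):
    attr = mapping.get(field)          # mobile/email are optional mappings
    return entry.get(attr, "") if attr else ""


def sync_users(entries, mapping, dedupe_by="username", existing=None,
               editable=False):
    """Map LDAP entries to platform users keyed by the duplicate-check field.

    dedupe_by="username": platform ID is random (kept if the user already exists).
    dedupe_by="user_id":  platform ID is the LDAP user-ID attribute.
    editable=True: name/mobile/email already on the platform are not
    overwritten by the sync (locally edited values win).
    Returns (users, skipped); skipped lists usernames not synchronized.
    """
    existing = existing or {}
    users, skipped = {}, []
    for e in entries:
        if mapping["objectClass"] not in e.get("objectClass", []):
            continue
        username = e.get(mapping["username"])
        if not username:
            continue
        if has_wide_chars(username):
            skipped.append(username)   # would get "username or password error"
            continue
        if dedupe_by == "user_id":
            uid = e.get(mapping["user_id"])
            if not uid:
                skipped.append(username)   # no stable key to deduplicate on
                continue
        else:
            uid = existing.get(username, {}).get("id") or secrets.token_hex(8)
        user = {"id": uid, "username": username,
                "name": _attr(e, mapping, "name"),
                "mobile": _attr(e, mapping, "mobile"),
                "email": _attr(e, mapping, "email")}
        if editable and username in existing:
            for f in ("name", "mobile", "email"):
                user[f] = existing[username].get(f, user[f])
        key = uid if dedupe_by == "user_id" else username
        if key in users:
            skipped.append(username)   # duplicate key within the directory
            continue
        users[key] = user
    return users, skipped


def sync_departments(entries, mapping, dedupe_by="name"):
    """Same rule for departments (and roles): key by name with a random ID,
    or by the LDAP ID attribute."""
    depts = {}
    for e in entries:
        if mapping["objectClass"] not in e.get("objectClass", []):
            continue
        name = e.get(mapping["name"])
        if not name:
            continue
        did = e.get(mapping["id"]) if dedupe_by == "id" else secrets.token_hex(8)
        key = name if dedupe_by == "name" else did
        if did and key not in depts:
            depts[key] = {"id": did, "name": name}
    return depts
```

With the constructed data, "alice" and "bob" are mapped, "田中" is skipped, and switching the duplicate-check field to user ID changes the keys from usernames to the LDAP uidNumber values; with Editable on, a locally edited name or mobile number on an existing user survives the next sync.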
4. Effect View
Once LDAP authentication is configured and the LDAP domain users have been synchronized:
The user enters the username and password stored in the LDAP server to enter the decision-making system, and then operates according to that user's permissions on the platform. As shown below:
Note 1: If the entered username does not exist on the platform, if the corresponding platform user is disabled, or if the platform user restriction is enabled and the user is not included, the platform does not contact the LDAP server at all and directly prompts "username or password error" or "user unavailable".
Note 2: The username stored in the LDAP server cannot contain double-byte Japanese, Traditional Chinese, or Korean characters; otherwise "username or password error" is prompted when logging in to the platform.
The password stored in the LDAP server cannot contain double-byte Japanese, Traditional Chinese, Simplified Chinese, or Korean characters; otherwise "username or password error" is prompted when logging in to the platform.
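The order of checks in Note 1 matters operationally: the platform refuses unknown, disabled and restricted users locally, so the LDAP server only ever sees bind attempts for accounts the platform already knows. The following added example (not FineReport's login code) makes that ordering explicit with a recording stand-in for the LDAP bind. Which refusal message applies to which case, the local-password branch for built-in users, and the SHA-256 placeholder for the local password store are this example's assumptions; the user records and directory password are constructed.

```python
"""Order of checks at login when LDAP authentication is enabled.

Added example, not FineReport's login code. The refusal messages are the
page's; which message applies to which case, and the built-in user branch
(local password, since password operations stay available for built-in
users), are this example's assumptions. SHA-256 is a placeholder for a
real password-hashing scheme, not a recommendation.
"""
import hashlib
import hmac

LDAP_BIND_CALLS = []  # every username for which an LDAP bind was attempted


def fake_ldap_bind(username, password):
    """Stand-in for an LDAP simple bind; records each attempt."""
    LDAP_BIND_CALLS.append(username)
    directory = {"alice": "Passw0rd!"}   # constructed directory credential
    return directory.get(username) == password


def pw_hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


PLATFORM_USERS = {  # constructed; synchronized users carry no local password
    "alice": {"source": "sync", "enabled": True},
    "bob":   {"source": "sync", "enabled": False},
    "admin": {"source": "builtin", "enabled": True,
              "pw": pw_hash("admin-secret")},
}


def login(username, password, users=PLATFORM_USERS, allowed=None,
          bind=fake_ldap_bind):
    """Return (ok, message).

    `allowed` models the platform user restriction: when set, only the
    listed usernames may log in. LDAP is contacted only for known, enabled,
    synchronized users; every other case is refused without a bind.
    """
    u = users.get(username)
    if u is None:
        return False, "username or password error"
    if not u["enabled"] or (allowed is not None and username not in allowed):
        return False, "user unavailable"
    if u["source"] == "builtin":
        ok = hmac.compare_digest(u["pw"], pw_hash(password))
    else:
        ok = bind(username, password)
    return (True, "ok") if ok else (False, "username or password error")


if __name__ == "__main__":
    for name, pw in [("alice", "Passw0rd!"), ("carol", "x"), ("bob", "x"),
                     ("admin", "admin-secret")]:
        print(name, login(name, pw))
    print("LDAP binds attempted for:", LDAP_BIND_CALLS)
```

Running it shows only "alice" reaching the directory; "carol" (unknown), "bob" (disabled) and the built-in "admin" never generate an LDAP bind.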